juretta.com

Disable basic authentication for CouchDB running behind an Apache reverse proxy

Tags: Apache, Proxy, CouchDB, Futon, Rabbit MQ

I am currently using CouchDB version 0.9 for quite a few different projects on the production machine. CouchDB only accepts local connections; I usually use either an SSH tunnel or an Apache virtual host to access the Futon administration interface.

The virtual host uses basic authentication and a reverse proxy to expose the CouchDB HTTP API and Futon. Apache will pass the authentication header to CouchDB, which in turn invokes its authentication handler. As I am using CouchDB with a variety of different clients (Java based web application running in Tomcat, Rabbit MQ, a CouchDB/Rails project that is being tested by a Hudson continuous integration server, CLI apps and so forth) and I am not exposing CouchDB anyway, I am not really keen on using the authentication mechanism CouchDB provides.

So I basically would like to let Apache take care of the access control and not have CouchDB invoke its authentication handler.

As far as I know there are basically two approaches to this problem.

The first is to set a null_authentication_handler in your CouchDB local.ini file (usually in $INSTALL_PREFIX/etc/couchdb/local.ini):

[httpd]
authentication_handler = {couch_httpd, null_authentication_handler}

Unfortunately the 0.9 release version does not seem to contain the null_authentication_handler; this approach works on more recent CouchDB versions only.

This basically means that the proxy in front of CouchDB needs to strip the Authorization header.

This can be done for Apache by enabling the mod_headers module (a2enmod headers on Debian, for example) and using the following line to unset the Authorization header:

RequestHeader unset Authorization

The following listing shows a setting similar to the one I am using for the virtual host:

<VirtualHost *:80>
        ServerName couchdb.example.com
        ServerAdmin admin@example.com


        ProxyRequests Off
        ProxyPreserveHost Off
        AllowEncodedSlashes On
        KeepAlive Off

        <Proxy *>
            Order deny,allow
            Allow from all
        </Proxy>

        <Location />
                AuthType Basic
                AuthName "Couchdb Admin"
                AuthUserFile /etc/apache2/passwd
                Require valid-user
        </Location>

        ProxyPass / http://localhost:5984/ nocanon
        ProxyPassReverse / http://localhost:5984/
        RequestHeader unset Authorization

        ErrorLog /var/log/apache2/couchdb.example.com-error_log
        CustomLog /var/log/apache2/couchdb.example.com-access_log common
</VirtualHost>
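
As an added example (not from the original post): a small Python check that a reverse-proxy vhost like the one above still authenticates in Apache, strips the Authorization header, and does not enable forward proxying. The function names and the trimmed sample config are constructed for illustration; the scan is flat and does not verify that the <Location> block covers the proxied path.

```python
import re

# Constructed sample: the directives from the listing above that matter here.
SAMPLE_VHOST = """\
<VirtualHost *:80>
    ServerName couchdb.example.com
    ProxyRequests Off
    <Location />
        AuthType Basic
        AuthName "Couchdb Admin"
        AuthUserFile /etc/apache2/passwd
        Require valid-user
    </Location>
    ProxyPass / http://localhost:5984/ nocanon
    ProxyPassReverse / http://localhost:5984/
    RequestHeader unset Authorization
</VirtualHost>
"""

def directives(conf):
    """Yield (lower-cased name, args) per directive; skip comments and section tags."""
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        yield parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""

def audit_vhost(conf):
    """Return findings for a reverse-proxy vhost; an empty list means all checks pass."""
    seen = list(directives(conf))
    def has(name, pattern):
        return any(n == name and re.fullmatch(pattern, a, re.I) for n, a in seen)
    if not any(n == "proxypass" for n, _ in seen):
        return []  # not a reverse-proxy vhost, nothing to check
    findings = []
    # With the backend's own handler bypassed, Apache is the only access control.
    if not (has("authtype", "basic") and has("require", r"valid-user|(user|group)\s+.+")):
        findings.append("no Apache authentication in front of the proxied backend")
    if not has("requestheader", r"unset\s+authorization(\s+.*)?"):
        findings.append("Authorization header is forwarded to the backend")
    # ProxyRequests defaults to Off, so only an explicit On is flagged.
    if has("proxyrequests", "on"):
        findings.append("ProxyRequests On turns the vhost into a forward proxy")
    return findings
```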

About

This is the defunct blog of Stefan Saasen.